From dab688f055a9b368b21b959597e344189c39a18c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Serta=C3=A7=20=C3=96zercan?= <852750+sozercan@users.noreply.github.com>
Date: Wed, 3 May 2023 17:35:05 -0700
Subject: [PATCH] ci: bump trivy version (#2737)

---
.github/workflows/workflow.yaml | 8 +++-----
.trivyignore | 3 +++
2 files changed, 6 insertions(+), 5 deletions(-)
create mode 100644 .trivyignore

diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index 08f901fb399..25796993354 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -291,11 +291,11 @@ jobs:
tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
env:
- TRIVY_VERSION: "0.36.1"
+ TRIVY_VERSION: "0.41.0"

- name: Run trivy on git repository
run: |
- trivy fs --format table --ignore-unfixed --skip-dirs website --security-checks vuln .
+ trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .

- name: Build docker images
run: |
@@ -308,7 +308,5 @@ jobs:
- name: Run trivy on images
run: |
for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
- for vuln_type in "os" "library"; do
- trivy image --ignore-unfixed --vuln-type="${vuln_type}" "${img}"
- done
+ trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
done
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 00000000000..b583a1d2c18
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# false positive due to prometheus versioning
+# https://github.com/aquasecurity/trivy/issues/2992
+CVE-2019-3826
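Review bot: The bumped `TRIVY_VERSION: "0.41.0"` pins a release, but nothing visible in this hunk verifies the archive before `tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz` unpacks it, and `echo "$(pwd)" >> $GITHUB_PATH` then puts the unverified binary on PATH for every later step. The download line is above the hunk (the step starts outside it), so I cannot tell whether a checksum is fetched there; if it is not, add a verification between download and extraction, e.g. `curl -fsSLO "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_checksums.txt"` followed by `sha256sum --ignore-missing -c "trivy_${TRIVY_VERSION}_checksums.txt"`, so a tampered or mis-served tarball fails the job rather than running. The renamed flag `--scanners vuln` also keeps secret scanning off for the repository scan, which I believe Trivy enables by default alongside `vuln` on `fs` scans; if that exclusion is deliberate, a one-line comment above the command such as `# vuln only: secret scanning is handled elsewhere` would make the intent explicit.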
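Review bot: The rewritten `trivy image --ignore-unfixed --vuln-type="os,library" "${img}"` runs with Trivy's default exit code of 0, so findings are printed but never fail the job, and the `trivy fs` invocation in the previous hunk has the same gap. If these scans are meant to gate the build rather than be informational, add `--exit-code 1` (and, to keep noise down, a severity floor): `trivy image --ignore-unfixed --exit-code 1 --severity HIGH,CRITICAL --vuln-type="os,library" "${img}"`. Separately, `os,library` is already Trivy's default for `--vuln-type`, so after collapsing the inner loop the flag is redundant; keep it only if you want the coverage stated explicitly. The step body begins before this hunk, so I cannot see whether `set -e` or a similar guard is in effect for the loop.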
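Review bot: The new `.trivyignore` suppresses `CVE-2019-3826` globally, so the entry silences that ID in every `trivy fs` and `trivy image` run in the workflow, not only the prometheus false positive the comment describes, and nothing prompts anyone to remove it once the linked upstream issue is resolved. I would extend the comment to name the package and version that triggers it (the current text only says "prometheus versioning") and the condition for dropping it, e.g. `# suppresses a false positive on the prometheus dependency version; remove once aquasecurity/trivy#2992 is fixed and re-verified`. If the Trivy version in use supports an expiry suffix on ignore entries (`CVE-2019-3826 exp:YYYY-MM-DD`), set one so the suppression cannot silently outlive the bug it works around.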